OMB following a familiar path as it shapes new financial internal controls

Jason Miller on the Federal Drive with Tom Temin and Emily Kopp.

The Office of Federal Financial Management is taking a page out of the
cybersecurity reform book as it changes how agencies oversee spending.

OFFM is updating its Circular A-123 guidance to be more like the future vision of
cybersecurity: based on risk and data, and done more often than every three
years.

Mike Wetklow, the chief of the accountability performance branch at OFFM in the
Office of Management and Budget, said there are several guiding principles going
into the revision, including integrating an internal controls framework, reducing
compliance burdens and innovating through data analysis.

"Many of these principles we are putting in practice, we're going to have examples
of charge cards, improper payments and data analytics," said Wetklow during a
panel discussion at the Association of Government Accountants' Internal Control
and Fraud Prevention Training event Tuesday in Washington. "We have a lot of
things we are trying to do differently like, for example, with Hurricane Sandy
last year. There was a memo earlier in the year about internal control plans. A
lot of our discussions were we didn't want to make this a new Recovery Act or have
this big compliance exercise right in the middle of disaster response, but to
really use the internal controls as a risk management tool. We didn't ask agencies
to document their control environment, the risk assessment, the control
activities, the full gauntlet of all those things. We asked them to simply do a
thoughtful analysis of their risks that came about from the extra funding that
went into their programs, and just work with OMB on that."

Similarities to cyber

Federal financial management and cybersecurity policy face similar challenges.
Both need to keep up with the changing environment and expectations, and move from
a static to a dynamic approach.

The administration is updating federal cybersecurity standards by moving toward a
data analysis and risk management approach. The Homeland Security Department is
leading the implementation of continuous monitoring on agency
computer networks to move away from the static nature of the Federal Information
Security Management Act.

Like FISMA, A-123 turned into a static process.

A-123 is a 30-plus-year-old policy from OMB regarding how agencies, and
specifically CFOs and their budget staffs, handle the oversight of money,
otherwise known as internal controls. Internal controls ensure agencies meet
policy and legislative requirements for financial reporting and the effectiveness
and efficiency of programs.

OMB last revised A-123 in 2004 after Congress passed the Sarbanes-Oxley bill.

Experts say this latest set of changes is part of the pendulum that seems to swing
every decade or so between more and fewer reporting requirements.

"We definitely will have to beef up the existing circular because it's just too
high level and doesn't really tell you how to implement an integrated risk
framework, it doesn't tell you how and it's OK to integrate FISMA stuff with the
system security work you do on financial reporting. We are just collecting our
thoughts," Wetklow said. "We want to move away from you having to do everything
over three years and have this compliance mindset to more of a risk-based
framework to allow agencies the flexibility in how they implement the circular. We
are not exactly sure of the format, other than the full circular will need to be
updated."

Canceling systems requirements

He said one of the biggest changes is what is being added to A-123 to meet the
intent and spirit of Congress when it wrote the Federal Financial Management and
Improvement Act (FFMIA).

"In the near term, and this will be literally in a couple of weeks, we plan to
rescind OMB Circular A-127 and replace it with a new Appendix D to A-123," Wetklow
said. "And if you ask yourself, why A-123? When you read the committee report [to
FFMIA], it talks a little about financial systems. It talks more about internal
controls, business processes, and visibility into government operations. Our hope
in what we are doing is we are going to reduce compliance burdens by getting rid
of all of these complicated checklists that only serve to drive system's costs and
risks, and integrate our processes with the already existing things in A-123."

A-127 addresses financial management system requirements. OMB slowly has been
moving away from strict financial management system requirements, and focusing
more on standards and outcomes over the last decade.

He said A-123 also will need to be integrated with several other initiatives,
including new credit card abuse guidance OMB issued last week, improper
payment laws that include the Do Not Pay list, and other changes to financial
oversight that have come over the past 10 years.